XOOPS /
XoopsCore25
| Conditions | 75 |
| Paths | > 20000 |
| Total Lines | 211 |
| Code Lines | 117 |
| Lines | 0 |
| Ratio | 0 % |
| Changes | 1 | ||
| Bugs | 1 | Features | 0 |
Small methods make your code easier to understand, in particular if combined with a good name. Besides, if your method is small, finding a good name is usually much easier.
For example, if you find yourself adding comments to a method's body, this is usually a good sign to extract the commented part to a new method, and use the comment as a starting point when coming up with a good name for this new method.
Commonly applied refactorings include:
If many parameters/temporary variables are present:
| 1 | <?php |
||
| 8 | function protector_postcommon() |
||
| 9 | { |
||
| 10 | global $xoopsUser, $xoopsModule; |
||
| 11 | |||
| 12 | $uname = Request::getString('uname', '', 'POST'); |
||
| 13 | $pass = Request::getString('pass', '', 'POST'); |
||
| 14 | $autologin_uname = Request::getString('autologin_uname', '', 'COOKIE'); |
||
| 15 | $autologin_pass = Request::getString('autologin_pass', '', 'COOKIE'); |
||
| 16 | |||
| 17 | // patch for 2.2.x from xoops.org (I know this is not so beautiful...) |
||
| 18 | if (defined('XOOPS_VERSION') && substr(XOOPS_VERSION, 6, 3) > 2.0) { |
||
| 19 | $requestUri = Request::getString('REQUEST_URI', '', 'SERVER'); // Fetch the REQUEST_URI from the server superglobal |
||
| 20 | if (false !== stripos($requestUri, 'modules/system/admin.php?fct=preferences')) { |
||
| 21 | /** @var XoopsModuleHandler $module_handler */ |
||
| 22 | $module_handler = xoops_getHandler('module'); |
||
| 23 | |||
| 24 | // Fetch the 'mod' parameter from the GET request and cast it to an integer |
||
| 25 | $mod = Request::getInt('mod', 0, 'GET'); |
||
| 26 | |||
| 27 | /** @var XoopsModule $module */ |
||
| 28 | $module = 0 !== $mod ? $module_handler->get($mod) : null; |
||
| 29 | |||
| 30 | if (is_object($module)) { |
||
| 31 | $module->getInfo(); |
||
| 32 | } |
||
| 33 | } |
||
| 34 | } |
||
| 35 | |||
| 36 | // configs writable check |
||
| 37 | $requestUriForWritableCheck = Request::getString('REQUEST_URI', '', 'SERVER'); |
||
| 38 | if ($requestUriForWritableCheck === '/admin.php' && !is_writable(dirname(__DIR__) . '/configs')) { |
||
| 39 | trigger_error('You should turn the directory ' . dirname(__DIR__) . '/configs writable', E_USER_WARNING); |
||
| 40 | } |
||
| 41 | |||
| 42 | // Protector object |
||
| 43 | require_once dirname(__DIR__) . '/class/protector.php'; |
||
| 44 | $db = XoopsDatabaseFactory::getDatabaseConnection(); |
||
| 45 | $protector = Protector::getInstance(); |
||
| 46 | $protector->setConn($db->conn); |
||
| 47 | $protector->updateConfFromDb(); |
||
| 48 | $conf = $protector->getConf(); |
||
| 49 | if (empty($conf)) { |
||
| 50 | return true; |
||
| 51 | } // not installed yet |
||
| 52 | |||
| 53 | // phpmailer vulnerability |
||
| 54 | // http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/ |
||
| 55 | if (in_array(substr(XOOPS_VERSION, 0, 12), ['XOOPS 2.0.16', 'XOOPS 2.0.13', 'XOOPS 2.2.4'])) { |
||
| 56 | /** @var XoopsConfigHandler $config_handler */ |
||
| 57 | $config_handler = xoops_getHandler('config'); |
||
| 58 | $xoopsMailerConfig = $config_handler->getConfigsByCat(XOOPS_CONF_MAILER); |
||
| 59 | if ($xoopsMailerConfig['mailmethod'] === 'sendmail' && md5_file(XOOPS_ROOT_PATH . '/class/mail/phpmailer/class.phpmailer.php') === 'ee1c09a8e579631f0511972f929fe36a') { |
||
| 60 | echo '<strong>phpmailer security hole! Change the preferences of mail from "sendmail" to another, or upgrade the core right now! (message by protector)</strong>'; |
||
| 61 | } |
||
| 62 | } |
||
| 63 | |||
| 64 | // global enabled or disabled |
||
| 65 | if (!empty($conf['global_disabled'])) { |
||
| 66 | return true; |
||
| 67 | } |
||
| 68 | |||
| 69 | // group1_ips (groupid=1) |
||
| 70 | if (is_object($xoopsUser) && in_array(1, $xoopsUser->getGroups())) { |
||
| 71 | $group1_ips = $protector->get_group1_ips(true); |
||
| 72 | if (implode('', array_keys($group1_ips))) { |
||
| 73 | $group1_allow = $protector->ip_match($group1_ips); |
||
| 74 | if (empty($group1_allow)) { |
||
| 75 | die('This account is disabled for your IP by Protector.<br>Clear cookie if you want to access this site as a guest.'); |
||
| 76 | } |
||
| 77 | } |
||
| 78 | } |
||
| 79 | |||
| 80 | // reliable ips |
||
| 81 | $remoteAddr = Request::getString('REMOTE_ADDR', '', 'SERVER'); |
||
| 82 | $reliable_ips = isset($conf['reliable_ips']) ? unserialize($conf['reliable_ips'], ['allowed_classes' => false]) : null; |
||
| 83 | |||
| 84 | if (is_array($reliable_ips)) { |
||
| 85 | foreach ($reliable_ips as $reliable_ip) { |
||
| 86 | if (!empty($reliable_ip) && preg_match('/' . $reliable_ip . '/', $remoteAddr)) { |
||
| 87 | return true; |
||
| 88 | } |
||
| 89 | } |
||
| 90 | } |
||
| 91 | |||
| 92 | // user information (uid and can be banned) |
||
| 93 | $can_ban = true; |
||
| 94 | $uid = 0; |
||
| 95 | |||
| 96 | if (isset($xoopsUser) && is_object($xoopsUser)) { |
||
| 97 | $uid = $xoopsUser->getVar('uid'); |
||
| 98 | $userGroups = $xoopsUser->getGroups(); |
||
| 99 | $bip_except = isset($conf['bip_except']) ? unserialize($conf['bip_except'], ['allowed_classes' => false]) : []; |
||
| 100 | |||
| 101 | $can_ban = (!empty($userGroups) && !empty($bip_except)) ? (count(array_intersect($userGroups, $bip_except)) ? false : true) : true; |
||
| 102 | } else { |
||
| 103 | // login failed check |
||
| 104 | if ((!empty($uname) && !empty($pass)) || (!empty($autologin_uname) && !empty($autologin_pass))) { |
||
| 105 | $protector->check_brute_force(); |
||
| 106 | } |
||
| 107 | } |
||
| 108 | |||
| 109 | // CHECK for spammers IPS/EMAILS during POST Actions |
||
| 110 | if (isset($conf['stopforumspam_action']) && $conf['stopforumspam_action'] !== 'none') { |
||
| 111 | $protector->stopforumspam($uid); |
||
| 112 | } |
||
| 113 | |||
| 114 | // If precheck has already judged that they should be banned |
||
| 115 | if ($can_ban && $protector->_should_be_banned) { |
||
| 116 | $protector->register_bad_ips(); |
||
| 117 | } elseif ($can_ban && $protector->_should_be_banned_time0) { |
||
| 118 | $protector->register_bad_ips(time() + $protector->_conf['banip_time0']); |
||
| 119 | } |
||
| 120 | |||
| 121 | // DOS/CRAWLER skipping based on 'dirname' or getcwd() |
||
| 122 | $dos_skipping = false; |
||
| 123 | $skip_dirnames = isset($conf['dos_skipmodules']) ? explode('|', $conf['dos_skipmodules']) : []; |
||
| 124 | if (!is_array($skip_dirnames)) { |
||
| 125 | $skip_dirnames = []; |
||
| 126 | } |
||
| 127 | if (isset($xoopsModule) && is_object($xoopsModule)) { |
||
| 128 | if (in_array($xoopsModule->getVar('dirname'), $skip_dirnames)) { |
||
| 129 | $dos_skipping = true; |
||
| 130 | } |
||
| 131 | } else { |
||
| 132 | foreach ($skip_dirnames as $skip_dirname) { |
||
| 133 | if ($skip_dirname && false !== strpos(getcwd(), $skip_dirname)) { |
||
| 134 | $dos_skipping = true; |
||
| 135 | break; |
||
| 136 | } |
||
| 137 | } |
||
| 138 | } |
||
| 139 | |||
| 140 | // module can control DoS skipping |
||
| 141 | if (defined('PROTECTOR_SKIP_DOS_CHECK')) { |
||
| 142 | $dos_skipping = true; |
||
| 143 | } |
||
| 144 | |||
| 145 | // DoS Attack |
||
| 146 | if (empty($dos_skipping) && !$protector->check_dos_attack($uid, $can_ban)) { |
||
| 147 | $protector->output_log($protector->last_error_type, $uid, true, 16); |
||
| 148 | } |
||
| 149 | |||
| 150 | // check session hi-jacking |
||
| 151 | $masks = $conf['session_fixed_topbit'] ?? null; |
||
| 152 | if (is_string($masks)) { |
||
| 153 | $maskArray = explode('/', $masks); |
||
| 154 | } else { |
||
| 155 | $maskArray = []; // Or some default value that makes sense for your application |
||
| 156 | } |
||
| 157 | $ipv4Mask = empty($maskArray[0]) ? 24 : $maskArray[0]; |
||
| 158 | $ipv6Mask = $maskArray[1] ?? 56; |
||
| 159 | $ip = \Xmf\IPAddress::fromRequest(); |
||
| 160 | $maskCheck = true; |
||
| 161 | if (isset($_SESSION['protector_last_ip'])) { |
||
| 162 | $maskCheck = $ip->sameSubnet($_SESSION['protector_last_ip'], $ipv4Mask, $ipv6Mask); |
||
| 163 | } |
||
| 164 | if (!$maskCheck) { |
||
| 165 | if (is_object($xoopsUser) && count(array_intersect($xoopsUser->getGroups(), unserialize($conf['groups_denyipmove'], ['allowed_classes' => false])))) { |
||
| 166 | $protector->purge(true); |
||
| 167 | } |
||
| 168 | } |
||
| 169 | $_SESSION['protector_last_ip'] = $ip->asReadable(); |
||
| 170 | |||
| 171 | // SQL Injection "Isolated /*" |
||
| 172 | if (!$protector->check_sql_isolatedcommentin((bool)(isset($conf['isocom_action']) ? $conf['isocom_action'] & 1 : 0))) { |
||
| 173 | if (($conf['isocom_action'] & 8) && $can_ban) { |
||
| 174 | $protector->register_bad_ips(); |
||
| 175 | } elseif (($conf['isocom_action'] & 4) && $can_ban) { |
||
| 176 | $protector->register_bad_ips(time() + $protector->_conf['banip_time0']); |
||
| 177 | } |
||
| 178 | $protector->output_log('ISOCOM', $uid, true, 32); |
||
| 179 | if ($conf['isocom_action'] & 2) { |
||
| 180 | $protector->purge(); |
||
| 181 | } |
||
| 182 | } |
||
| 183 | |||
| 184 | // SQL Injection "UNION" |
||
| 185 | if (!$protector->check_sql_union((bool)(isset($conf['union_action']) ? $conf['union_action'] & 1 : 0))) { |
||
| 186 | if (($conf['union_action'] & 8) && $can_ban) { |
||
| 187 | $protector->register_bad_ips(); |
||
| 188 | } elseif (($conf['union_action'] & 4) && $can_ban) { |
||
| 189 | $protector->register_bad_ips(time() + $protector->_conf['banip_time0']); |
||
| 190 | } |
||
| 191 | $protector->output_log('UNION', $uid, true, 32); |
||
| 192 | if ($conf['union_action'] & 2) { |
||
| 193 | $protector->purge(); |
||
| 194 | } |
||
| 195 | } |
||
| 196 | |||
| 197 | if (!empty($_POST)) { |
||
| 198 | // SPAM Check |
||
| 199 | if (is_object($xoopsUser)) { |
||
| 200 | if (!$xoopsUser->isAdmin() && $conf['spamcount_uri4user']) { |
||
| 201 | $protector->spam_check((int)$conf['spamcount_uri4user'], $xoopsUser->getVar('uid')); |
||
| 202 | } |
||
| 203 | } elseif ($conf['spamcount_uri4guest']) { |
||
| 204 | $protector->spam_check((int)$conf['spamcount_uri4guest'], 0); |
||
| 205 | } |
||
| 206 | |||
| 207 | // filter plugins for POST on postcommon stage |
||
| 208 | $protector->call_filter('postcommon_post'); |
||
| 209 | } |
||
| 210 | |||
| 211 | // register.php Protection - both core and profile module have a register.php |
||
| 212 | // There should be an event to trigger this check instead of filename sniffing. |
||
| 213 | $scriptFilename = Request::getString('SCRIPT_FILENAME', '', 'SERVER'); |
||
| 214 | if (basename($scriptFilename) == 'register.php') { |
||
| 215 | $protector->call_filter('postcommon_register'); |
||
| 216 | } |
||
| 217 | |||
| 218 | return null; |
||
| 219 | } |
||
| 220 |
Loading history...
Let?s assume that you have a directory layout like this:
. |-- OtherDir | |-- Bar.php | `-- Foo.php `-- SomeDir `-- Foo.phpand let?s assume the following content of
Bar.php:If both files
OtherDir/Foo.phpandSomeDir/Foo.phpare loaded in the same runtime, you will see a PHP error such as the following:PHP Fatal error: Cannot use SomeDir\Foo as Foo because the name is already in use in OtherDir/Foo.phpHowever, as
OtherDir/Foo.phpdoes not necessarily have to be loaded and the error is only triggered if it is loaded beforeOtherDir/Bar.php, this problem might go unnoticed for a while. In order to prevent this error from surfacing, you must import the namespace with a different alias: